|
4 | 4 | * Reference: https://scotthelme.co.uk/csp-cheat-sheet/
|
5 | 5 | *
|
6 | 6 | * Supports the following:
|
7 |
| - * - CSP Level 1 |
8 |
| - * - CSP Level 2 |
9 |
| - * - CSP Level 3 |
| 7 | + * - https://www.w3.org/TR/CSP1/ |
| 8 | + * - https://www.w3.org/TR/CSP2/ |
| 9 | + * - https://www.w3.org/TR/CSP3/ |
10 | 10 | */
|
11 | 11 |
|
12 |
| -Prism.languages.csp = { |
13 |
| - 'directive': { |
14 |
| - pattern: /(^|[^-\da-z])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[^-\da-z]|$)/i, |
15 |
| - lookbehind: true, |
16 |
| - alias: 'keyword' |
17 |
| - }, |
18 |
| - 'safe': { |
19 |
| - // CSP2 hashes and nonces are base64 values. CSP3 accepts both base64 and base64url values. |
20 |
| - // See https://tools.ietf.org/html/rfc4648#section-4 |
21 |
| - // See https://tools.ietf.org/html/rfc4648#section-5 |
22 |
| - pattern: /'(?:deny|none|report-sample|self|strict-dynamic|top-only|(?:nonce|sha(?:256|384|512))-[-+/\w=]+)'/i, |
23 |
| - alias: 'selector' |
24 |
| - }, |
25 |
| - 'unsafe': { |
26 |
| - pattern: /(?:'unsafe-(?:allow-redirects|dynamic|eval|hash-attributes|hashed-attributes|hashes|inline)'|\*)/i, |
27 |
| - alias: 'function' |
| 12 | +(function (Prism) { |
| 13 | + |
| 14 | + /** |
| 15 | + * @param {string} source |
| 16 | + * @returns {RegExp} |
| 17 | + */ |
| 18 | + function value(source) { |
| 19 | + return RegExp(/([ \t])/.source + '(?:' + source + ')' + /(?=[\s;]|$)/.source, 'i'); |
28 | 20 | }
|
29 |
| -}; |
| 21 | + |
| 22 | + Prism.languages.csp = { |
| 23 | + 'directive': { |
| 24 | + pattern: /(^|[\s;])(?:base-uri|block-all-mixed-content|(?:child|connect|default|font|frame|img|manifest|media|object|prefetch|script|style|worker)-src|disown-opener|form-action|frame-(?:ancestors|options)|input-protection(?:-(?:clip|selectors))?|navigate-to|plugin-types|policy-uri|referrer|reflected-xss|report-(?:to|uri)|require-sri-for|sandbox|(?:script|style)-src-(?:attr|elem)|upgrade-insecure-requests)(?=[\s;]|$)/i, |
| 25 | + lookbehind: true, |
| 26 | + alias: 'property' |
| 27 | + }, |
| 28 | + 'scheme': { |
| 29 | + pattern: value(/[a-z][a-z0-9.+-]*:/.source), |
| 30 | + lookbehind: true |
| 31 | + }, |
| 32 | + 'none': { |
| 33 | + pattern: value(/'none'/.source), |
| 34 | + lookbehind: true, |
| 35 | + alias: 'keyword' |
| 36 | + }, |
| 37 | + 'nonce': { |
| 38 | + pattern: value(/'nonce-[-+/\w=]+'/.source), |
| 39 | + lookbehind: true, |
| 40 | + alias: 'number' |
| 41 | + }, |
| 42 | + 'hash': { |
| 43 | + pattern: value(/'sha(?:256|384|512)-[-+/\w=]+'/.source), |
| 44 | + lookbehind: true, |
| 45 | + alias: 'number' |
| 46 | + }, |
| 47 | + 'host': { |
| 48 | + pattern: value( |
| 49 | + /[a-z][a-z0-9.+-]*:\/\/[^\s;,']*/.source + |
| 50 | + '|' + |
| 51 | + /\*[^\s;,']*/.source + |
| 52 | + '|' + |
| 53 | + /[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::[\d*]+)?(?:\/[^\s;,']*)?/.source |
| 54 | + ), |
| 55 | + lookbehind: true, |
| 56 | + alias: 'url', |
| 57 | + inside: { |
| 58 | + 'important': /\*/ |
| 59 | + } |
| 60 | + }, |
| 61 | + 'keyword': [ |
| 62 | + { |
| 63 | + pattern: value(/'unsafe-[a-z-]+'/.source), |
| 64 | + lookbehind: true, |
| 65 | + alias: 'unsafe' |
| 66 | + }, |
| 67 | + { |
| 68 | + pattern: value(/'[a-z-]+'/.source), |
| 69 | + lookbehind: true, |
| 70 | + alias: 'safe' |
| 71 | + }, |
| 72 | + ], |
| 73 | + 'punctuation': /;/ |
| 74 | + }; |
| 75 | + |
| 76 | +}(Prism)); |
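Review bot: The rewritten `nonce` and `hash` entries drop the comment that explained why their value class is `[-+/\w=]` — CSP2 nonces and hashes are plain base64, while CSP3 also accepts base64url (RFC 4648 §4 and §5), which is why `-` and `_` (via `\w`) are allowed next to `+` and `/`. Without that rationale a later maintainer may "tighten" the class to strict base64 and silently stop highlighting valid CSP3 values; I'd restore it above the `nonce` entry as `// CSP2 nonces/hashes are base64; CSP3 also accepts base64url (RFC 4648 §4/§5), hence '-' and '_' (via \w) alongside '+' and '/'.` Separately, now that `*` is surfaced as an `important` token inside `host`, it may be worth a comment that bare `data:`/`blob:` sources — which are also dangerous in `script-src` — fall under the neutral `scheme` token; whether to flag them is a design choice rather than a defect, so a comment stating that intent would be enough.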